Radically trim down winbind?
Rowland Penny
repenny241155 at gmail.com
Fri Nov 4 11:50:37 UTC 2016
On Fri, 4 Nov 2016 12:44:46 +0100
Volker Lendecke <vl at samba.org> wrote:
> On Fri, Nov 04, 2016 at 10:56:37AM +0000, Rowland Penny wrote:
> > > Yes, and that purpose is just a wrong use. Even for 50 users. We
> > > have wbinfo -t, wbinfo --ping-dc and other tests like wbinfo -n
> > > domain\\administrator. What we could do is move the complex logic
> > > to list users into the wbinfo binary if this is such a critical
> > > feature to have under the wbinfo command. Alternatively we can
> > > provide a descriptive message to use wbinfo --ping-dc when
> > > someone types in wbinfo -u. Or turn wbinfo -u/-g into wbinfo
> > > --ping-dc if people are so used to typing wbinfo -u to test DC
> > > connectivity.
> >
> > It is not that people are used to typing 'wbinfo -u', it is that
> > just about every 'howto create a DC' out there on the internet
> > tells you to do this ;-)
>
> On the DC itself the story for the locally hosted users is completely
> different. There we have access to the right credentials, we could
> even access sam.ldb if we wanted to (do we? ;-)). It is Samba as a
> member or a trusting dc that should not enumerate anything remotely.
>
> Volker
Oh dear, just checked this page on the wiki:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
and under the heading 'Testing Winbindd user/group retrieval' there is
this:
wbinfo
You first need to check that Winbindd is able to retrieve domain users and groups. On a successful setup, the following commands will print all users/groups in your domain:
# wbinfo -u
administrator
krbtgt
guest
...
# wbinfo -g
enterprise admins
domain computers
domain admins
...
So, even we are doing this.
Rowland
More information about the samba-technical
mailing list